ddidderr/fcry
1
0
Fork 0
Code Issues 2 Pull Requests Projects Releases Wiki Activity

feat!: argon2id passphrases, secret hardening, atomic output, manual STREAM

Browse Source 
This commit lands four follow-up items that were explicitly deferred in
TODO.md after the prior file-format change, plus a CLI/units cleanup
that fell out of reviewing them:

  1. Manual STREAM nonce construction (drops `stream` cargo feature).
  2. Atomic file output (`.tmp` + rename, with cleanup on failure).
  3. Argon2id KDF + passphrase prompt + matching CLI flags.
  4. Hardened secret handling: zeroize-on-drop, mlock'd buffers,
     custom cross-platform tty reader (replaces `rpassword`).

Why
---
The prior version had three concrete weaknesses that were fine for
"early development" but unacceptable past that point:

  * `--raw-key` was the only way to supply a key, exposing it in
    `/proc/$pid/cmdline`. There was no passphrase mode at all.
  * Crashes/aborts during encrypt could leave a half-written output
    file in place of (or replacing) the user's target.
  * Key material wasn't zeroed and could end up in swap or coredumps.
    rpassword's reallocating String buffers also leaked stale heap
    copies of typed passphrases that no `Zeroizing` wrapper could
    reach after the fact.

(1) Manual STREAM nonces
------------------------
Replaces `aead::stream::EncryptorBE32` / `DecryptorBE32` with
explicit `make_nonce(prefix, counter, last)` and direct
`XChaCha20Poly1305::{encrypt,decrypt}_in_place` calls. The wire format
is unchanged (XChaCha20Poly1305 STREAM-BE32 = 19-byte prefix || 4-byte
big-endian counter || 1-byte last-block flag), so files written by the
previous version still decrypt. Counter overflow is now an explicit
`Format` error rather than a panic in the upstream stream wrapper.

This removes the `stream` cargo feature from `chacha20poly1305` and
prepares the encrypt path for parallelism: with explicit nonces we can
hand chunks to a worker pool keyed by counter without the stream
wrapper's stateful API getting in the way.

(2) Atomic file output
----------------------
New `utils::OutSink` writes to `<path>.tmp`, calls `sync_all()` on
`commit()`, and renames into place. If dropped without commit (panic,
crypto/IO error, ctrl-C), the temp file is unlinked so the existing
target is untouched. Stdout output is unaffected (no temp dance).

A new integration test (`atomic_output_no_stale_tmp_on_failure`)
verifies that a failed decrypt leaves neither the final output nor
the temp file behind.

(3) Argon2id + passphrase
-------------------------
New `KdfParams::Argon2id { salt, m_cost, t_cost, p_cost }` variant
encoded into the header (and authenticated as AAD), so tampering with
KDF params fails authentication on every chunk.

CLI surface (BREAKING):
  * `--raw-key` is now optional; one of `--raw-key`, `--passphrase`,
    `--passphrase-env <VAR>` is required.
  * `--passphrase` prompts on the controlling terminal with echo off,
    and asks for confirmation when encrypting.
  * `--passphrase-env <VAR>` reads from a named env var; intended for
    non-interactive use (scripts, tests). The env-table copy is a
    known leak for that path.
  * `--argon-memory <MiB>` (default 1024 = 1 GiB), `--argon-passes`
    (default 2), `--argon-parallelism` (default 4). Names follow
    argon2 RFC 9106 terminology; memory is MiB rather than KiB to
    match how humans actually think about RAM. Defaults follow the
    "Balanced" preset for 2026-era hardware (~1.5–4 s on a laptop).
    The argon2 crate wants KiB internally, so the CLI value is
    multiplied by 1024 with overflow-check.

(4) Secret hardening
--------------------
New `secrets` module provides:

  * `SecretBytes32`: heap-allocated 32-byte buffer wrapped in
    `Zeroizing<[u8; 32]>` and mlock'd via the `region` crate.
    Field order ensures the lock guard drops *before* the buffer is
    freed (otherwise munlock would target freed memory).
  * `SecretVec`: fixed-capacity, mlock'd, zeroize-on-drop byte
    buffer. `push()` rejects writes past the reserved capacity so
    the underlying allocation never reallocates and moves — which
    would invalidate the lock and leave a stale unzeroed copy on
    the heap.
  * `read_passphrase_tty()`: direct tty reader. On Unix, opens
    `/dev/tty`, clears `ECHO` via `tcgetattr`/`tcsetattr` with an
    RAII guard that restores termios on drop. On Windows, opens
    `CONIN$`/`CONOUT$` and clears `ENABLE_ECHO_INPUT` via
    `Get/SetConsoleMode`. Reads byte-by-byte into a pre-reserved
    `SecretVec` (1024 bytes), so neither the Rust side nor the libc
    side reallocates during read. This replaces `rpassword`, which
    returned a `String` that grew by reallocation and left
    unzeroed copies of typed passphrases on the heap.

`PartialEq` on `SecretVec` is constant-time-ish (length check +
xor-or accumulate) so the confirmation comparison doesn't early-out
on the first differing byte.

`disable_core_dumps()` calls `setrlimit(CORE, 0)` on Unix; on
Windows it's a no-op (WER/minidump suppression is a per-machine
policy and intentionally not done here).

`Cli`'s secret-bearing fields are moved out into local bindings at
the top of `run()` and the `Cli` is explicitly dropped, so they
don't sit in the parsed struct for the rest of the function.
`Cli.raw_key` is `Option<Zeroizing<String>>` so the field we own
zeroes itself on drop. Clap's own intermediate copies during
parsing are an accepted leak.

Threat model — what is and isn't covered
-----------------------------------------
Covered (best-effort):
  * Secrets in coredumps                  → rlimit on Unix.
  * Secrets paged to swap or hibernation  → mlock on the AEAD key
                                            and passphrase buffer.
  * Half-written ciphertext on crash      → atomic rename.
  * Stale heap copies of typed passphrase → custom tty reader,
                                            pre-reserved buffer.
  * Stale stack/heap copies of the AEAD
    key or passphrase post-process-exit   → zeroize on drop.

Not covered (and not pretending to be):
  * Live-process attackers with ptrace or `/proc/$pid/mem` access.
  * The kernel's tty/line buffer.
  * Clap's transient String allocations during arg parsing.
  * The `environ` table copy of an env-var passphrase.
  * Swap on systems without functioning mlock or with
    `RLIMIT_MEMLOCK = 0`.

mlock is small (32 bytes + 1024 bytes — two pages at most on any
of the three target OSes), so it fits well under the typical
unprivileged `RLIMIT_MEMLOCK` of 64 KiB.

Portability
-----------
The whole binary targets Linux, macOS, and Windows 11 with the
same security properties where the OS supports them:

  * `region` crate provides cross-platform mlock/munlock.
  * `libc::tcgetattr`/`tcsetattr` covers Linux + macOS.
  * `windows-sys` covers Console API.
  * `rlimit` is gated to `cfg(unix)`.

The Windows tty path compiles in my head but is unverified on this
machine — there is no `x86_64-pc-windows-*` target installed and
no Windows runner. Treat that path as "best-effort, needs CI on
Windows" until exercised.

Files written by the previous v0.10 (Raw KDF, BE32 STREAM) are
still readable: the wire format is unchanged for that path.

Test plan
---------
Existing 17 integration tests pass unchanged. Two new tests:

  * `roundtrip_passphrase_argon2id` — encrypts and decrypts via
    `--passphrase-env` with cheap argon2 params (8 MiB / 1 pass) so
    the test stays fast; also verifies that a wrong passphrase
    fails.
  * `atomic_output_no_stale_tmp_on_failure` — wrong-key decrypt
    leaves neither the final file nor the `.tmp` in place.

Manual sanity (not automated): run with `--passphrase` on a
terminal and confirm echo is off and confirmation works.

Follow-ups (still in TODO.md)
-----------------------------
  * Multi-threaded encrypt pipeline (now feasible — manual nonces).
  * Length-committed mode + random-access decrypt fast path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
ddidderr
2026-05-02 18:26:44 +02:00
parent 4eee8e7a95
commit fe65e1f899
10 changed files with 948 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/crypto.rs
+80 -15
View File
@@ -1,21 +1,70 @@
// SPDX-License-Identifier: GPL-3.0-only
use chacha20poly1305::{KeyInit, XChaCha20Poly1305, aead::stream};
use chacha20poly1305::{KeyInit, XChaCha20Poly1305, XNonce, aead::AeadInPlace};
use std::io::Write;
use crate::error::*;
use crate::header::{AlgId, Header, KdfParams, NONCE_PREFIX_LEN, TAG_LEN};
use crate::reader::{AheadReader, ReadInfoChunk};
use crate::secrets::SecretBytes32;
use crate::utils::*;
/// XChaCha20Poly1305 nonce: 24 bytes total. STREAM splits the trailing 5 bytes
/// into a 4-byte big-endian counter and a 1-byte "last block" flag.
const NONCE_LEN: usize = 24;
const COUNTER_LEN: usize = 4;
const _: () = assert!(NONCE_PREFIX_LEN + COUNTER_LEN + 1 == NONCE_LEN);
fn make_nonce(prefix: &[u8; NONCE_PREFIX_LEN], counter: u32, last: bool) -> XNonce {
let mut n = [0u8; NONCE_LEN];
n[..NONCE_PREFIX_LEN].copy_from_slice(prefix);
n[NONCE_PREFIX_LEN..NONCE_PREFIX_LEN + COUNTER_LEN].copy_from_slice(&counter.to_be_bytes());
n[NONCE_LEN - 1] = u8::from(last);
XNonce::from(n)
}
/// Derive (or unwrap) the 32-byte AEAD key from KDF parameters and an optional passphrase.
/// For `KdfParams::Raw`, `raw_key` must be supplied.
/// For `KdfParams::Argon2id`, `passphrase` must be supplied.
pub fn derive_key(
kdf: &KdfParams,
raw_key: Option<&[u8; 32]>,
passphrase: Option<&[u8]>,
) -> Result<SecretBytes32, FcryError> {
let mut out = SecretBytes32::zeroed();
match kdf {
KdfParams::Raw => {
let raw =
raw_key.ok_or_else(|| FcryError::Format("raw kdf requires --raw-key".into()))?;
out.as_mut_array().copy_from_slice(raw);
}
KdfParams::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
} => {
let pw = passphrase
.ok_or_else(|| FcryError::Format("argon2id kdf requires a passphrase".into()))?;
let params = argon2::Params::new(*m_cost, *t_cost, *p_cost, Some(32))?;
let argon =
argon2::Argon2::new(argon2::Algorithm::Argon2id, argon2::Version::V0x13, params);
argon.hash_password_into(pw, salt, out.as_mut_array())?;
}
}
Ok(out)
}
pub fn encrypt<S: AsRef<str>>(
input_file: Option<S>,
output_file: Option<S>,
key: [u8; 32],
key: &SecretBytes32,
chunk_size: u32,
kdf: KdfParams,
) -> Result<(), FcryError> {
let chunk_sz = chunk_size as usize;
let mut f_plain = AheadReader::from(open_input(input_file)?, chunk_sz);
let mut f_encrypted = open_output(output_file)?;
let mut f_encrypted = OutSink::open(output_file)?;
let mut nonce_prefix = [0u8; NONCE_PREFIX_LEN];
getrandom::fill(&mut nonce_prefix)?;
@@ -24,27 +73,32 @@ pub fn encrypt<S: AsRef<str>>(
alg: AlgId::XChaCha20Poly1305,
flags: 0,
chunk_size,
kdf: KdfParams::Raw,
kdf,
nonce_prefix,
};
let aad = header.encode();
f_encrypted.write_all(&aad)?;
let aead = XChaCha20Poly1305::new(&key.into());
let mut stream_encryptor = stream::EncryptorBE32::from_aead(aead, &nonce_prefix.into());
let aead = XChaCha20Poly1305::new(key.as_array().into());
let mut buf = vec![0u8; chunk_sz];
let mut counter: u32 = 0;
loop {
match f_plain.read_ahead(&mut buf)? {
ReadInfoChunk::Normal(_) => {
stream_encryptor.encrypt_next_in_place(&aad, &mut buf)?;
let nonce = make_nonce(&nonce_prefix, counter, false);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
buf.truncate(chunk_sz);
counter = counter.checked_add(1).ok_or_else(|| {
FcryError::Format("STREAM counter overflow (input too large)".into())
})?;
}
ReadInfoChunk::Last(n) => {
buf.truncate(n);
stream_encryptor.encrypt_last_in_place(&aad, &mut buf)?;
let nonce = make_nonce(&nonce_prefix, counter, true);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
break;
}
@@ -52,46 +106,56 @@ pub fn encrypt<S: AsRef<str>>(
// Empty plaintext: still emit a final "last" tag so the decryptor
// authenticates the (empty) stream rather than silently producing nothing.
buf.clear();
stream_encryptor.encrypt_last_in_place(&aad, &mut buf)?;
let nonce = make_nonce(&nonce_prefix, counter, true);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
break;
}
}
}
f_encrypted.commit()?;
Ok(())
}
pub fn decrypt<S: AsRef<str>>(
input_file: Option<S>,
output_file: Option<S>,
key: [u8; 32],
raw_key: Option<&[u8; 32]>,
passphrase: Option<&[u8]>,
) -> Result<(), FcryError> {
let mut reader = open_input(input_file)?;
let header = Header::read(&mut reader)?;
let aad = header.encode();
let key = derive_key(&header.kdf, raw_key, passphrase)?;
let chunk_sz = header.chunk_size as usize;
let cipher_chunk = chunk_sz + TAG_LEN;
let mut f_encrypted = AheadReader::from(reader, cipher_chunk);
let mut f_plain = open_output(output_file)?;
let mut f_plain = OutSink::open(output_file)?;
let aead = XChaCha20Poly1305::new(&key.into());
let mut stream_decryptor = stream::DecryptorBE32::from_aead(aead, &header.nonce_prefix.into());
let aead = XChaCha20Poly1305::new(key.as_array().into());
let mut buf = vec![0u8; cipher_chunk];
let mut counter: u32 = 0;
loop {
match f_encrypted.read_ahead(&mut buf)? {
ReadInfoChunk::Normal(_) => {
stream_decryptor.decrypt_next_in_place(&aad, &mut buf)?;
let nonce = make_nonce(&header.nonce_prefix, counter, false);
aead.decrypt_in_place(&nonce, &aad, &mut buf)?;
f_plain.write_all(&buf)?;
buf.resize(cipher_chunk, 0);
counter = counter
.checked_add(1)
.ok_or_else(|| FcryError::Format("STREAM counter overflow".into()))?;
}
ReadInfoChunk::Last(n) => {
buf.truncate(n);
stream_decryptor.decrypt_last_in_place(&aad, &mut buf)?;
let nonce = make_nonce(&header.nonce_prefix, counter, true);
aead.decrypt_in_place(&nonce, &aad, &mut buf)?;
f_plain.write_all(&buf)?;
break;
}
@@ -103,5 +167,6 @@ pub fn decrypt<S: AsRef<str>>(
}
}
f_plain.commit()?;
Ok(())
}
src/error.rs
+8
View File
@@ -10,6 +10,8 @@ pub enum FcryError {
Crypto(aead::Error),
Rng(getrandom::Error),
Format(String),
Kdf(String),
Passphrase(String),
}
impl From<io::Error> for FcryError {
@@ -29,3 +31,9 @@ impl From<getrandom::Error> for FcryError {
FcryError::Rng(e)
}
}
impl From<argon2::Error> for FcryError {
fn from(e: argon2::Error) -> Self {
FcryError::Kdf(e.to_string())
}
}
src/header.rs
+41 -4
View File
@@ -47,31 +47,68 @@ impl AlgId {
}
}
pub const ARGON2_SALT_LEN: usize = 16;
/// Key-derivation parameters stored in the header.
///
/// `Raw` means the key was supplied directly (no KDF). Future variants
/// (e.g. Argon2id) will carry their salt + cost parameters here.
/// `Raw` means the key was supplied directly (no KDF). `Argon2id` carries
/// the salt and cost parameters needed to redo derivation on decrypt.
#[derive(Clone, Debug)]
pub enum KdfParams {
Raw,
Argon2id {
salt: [u8; ARGON2_SALT_LEN],
m_cost: u32,
t_cost: u32,
p_cost: u32,
},
}
impl KdfParams {
fn id(&self) -> u8 {
match self {
Self::Raw => 0,
Self::Argon2id { .. } => 1,
}
}
fn write_into(&self, _out: &mut Vec<u8>) {
fn write_into(&self, out: &mut Vec<u8>) {
match self {
Self::Raw => {}
Self::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
} => {
out.extend_from_slice(salt);
out.extend_from_slice(&m_cost.to_le_bytes());
out.extend_from_slice(&t_cost.to_le_bytes());
out.extend_from_slice(&p_cost.to_le_bytes());
}
}
}
fn read_from(id: u8, _r: &mut impl Read) -> Result<Self, FcryError> {
fn read_from(id: u8, r: &mut impl Read) -> Result<Self, FcryError> {
match id {
0 => Ok(Self::Raw),
1 => {
let mut salt = [0u8; ARGON2_SALT_LEN];
r.read_exact(&mut salt)?;
let mut buf = [0u8; 4];
r.read_exact(&mut buf)?;
let m_cost = u32::from_le_bytes(buf);
r.read_exact(&mut buf)?;
let t_cost = u32::from_le_bytes(buf);
r.read_exact(&mut buf)?;
let p_cost = u32::from_le_bytes(buf);
Ok(Self::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
})
}
_ => Err(FcryError::Format(format!("unknown kdf id: {id}"))),
}
}
src/main.rs
+142 -8
View File
@@ -4,13 +4,17 @@ mod crypto;
mod error;
mod header;
mod reader;
mod secrets;
mod utils;
use crypto::*;
use error::FcryError;
use header::{ARGON2_SALT_LEN, KdfParams};
use secrets::{SecretBytes32, SecretVec, read_passphrase_tty};
use utils::DEFAULT_CHUNK_SIZE;
use clap::Parser;
use zeroize::Zeroizing;
/// fcry - [f]ile[cry]pt: A file en-/decryption tool for easy use
#[derive(Parser, Debug)]
@@ -31,35 +35,165 @@ struct Cli {
/// The raw bytes of the crypto key. Has to be exactly 32 bytes.
/// *** DANGEROUS: visible in process listings (ps/proc). Testing only. ***
#[clap(short, long, conflicts_with_all = ["passphrase", "passphrase_env"])]
raw_key: Option<Zeroizing<String>>,
/// Read passphrase interactively (terminal). Implies argon2id KDF on encrypt.
#[clap(short, long)]
raw_key: String,
passphrase: bool,
/// Read passphrase from the named environment variable (for non-interactive use).
/// Implies argon2id KDF on encrypt. Mutually exclusive with --passphrase.
#[clap(long, conflicts_with = "passphrase")]
passphrase_env: Option<String>,
/// Plaintext chunk size in bytes (encryption only; decryption reads it from the header).
#[clap(long, default_value_t = DEFAULT_CHUNK_SIZE)]
chunk_size: u32,
/// Argon2id memory in MiB (encryption only). Default: 1024 (= 1 GiB).
#[clap(long, default_value_t = 1024)]
argon_memory: u32,
/// Argon2id passes / iterations (encryption only).
#[clap(long, default_value_t = 2)]
argon_passes: u32,
/// Argon2id parallelism / lanes (encryption only).
#[clap(long, default_value_t = 4)]
argon_parallelism: u32,
}
fn run(cli: Cli) -> Result<(), FcryError> {
let raw = cli.raw_key.as_bytes();
fn parse_raw_key(s: &str) -> Result<SecretBytes32, FcryError> {
let raw = s.as_bytes();
if raw.len() != 32 {
return Err(FcryError::Format(format!(
"raw_key must be exactly 32 bytes, got {}",
raw.len()
)));
}
let mut key = [0u8; 32];
key.copy_from_slice(raw);
let mut key = SecretBytes32::zeroed();
key.as_mut_array().copy_from_slice(raw);
Ok(key)
}
if cli.decrypt {
decrypt(cli.input_file, cli.output_file, key)?
/// Source of a passphrase: either the terminal or a named env var.
enum PassphraseSource {
Tty,
EnvVar(String),
}
fn read_passphrase(src: &PassphraseSource, confirm: bool) -> Result<SecretVec, FcryError> {
match src {
PassphraseSource::EnvVar(var) => {
// Take the env value, then immediately convert to a Zeroize+mlock'd
// buffer. The original `String` from `env::var` is consumed by
// `into_bytes()`, so its allocation moves into our SecretVec.
// Note: a copy still exists in the process `environ` table; that is
// a known and accepted leak for the env-var path.
let v = std::env::var(var).map_err(|_| {
FcryError::Passphrase(format!("environment variable {var} not set or not unicode"))
})?;
Ok(SecretVec::from_vec(v.into_bytes()))
}
PassphraseSource::Tty => {
let pw = read_passphrase_tty("Passphrase: ")
.map_err(|e| FcryError::Passphrase(e.to_string()))?;
if confirm {
let pw2 = read_passphrase_tty("Confirm passphrase: ")
.map_err(|e| FcryError::Passphrase(e.to_string()))?;
if pw != pw2 {
return Err(FcryError::Passphrase("passphrases do not match".into()));
}
// pw2 dropped here -> zeroized + munlocked.
}
Ok(pw)
}
}
}
/// Best-effort: prevent secrets from landing in a core dump.
#[cfg(unix)]
fn disable_core_dumps() {
use rlimit::Resource;
let _ = rlimit::setrlimit(Resource::CORE, 0, 0);
}
#[cfg(not(unix))]
fn disable_core_dumps() {
// Windows doesn't have rlimit-style core dumps. WER (Windows Error Reporting)
// and minidumps would be the analogue; disabling those requires per-machine
// policy and is intentionally not done here.
}
fn run(mut cli: Cli) -> Result<(), FcryError> {
// Move the secret-bearing fields out of `Cli` immediately so they don't
// sit in the parsed struct for the rest of the function.
let raw_key_str: Option<Zeroizing<String>> = cli.raw_key.take();
let pw_src: Option<PassphraseSource> = if cli.passphrase {
Some(PassphraseSource::Tty)
} else {
encrypt(cli.input_file, cli.output_file, key, cli.chunk_size)?
cli.passphrase_env.take().map(PassphraseSource::EnvVar)
};
let decrypt_mode = cli.decrypt;
let input = cli.input_file.take();
let output = cli.output_file.take();
let chunk_size = cli.chunk_size;
let argon_memory = cli.argon_memory;
let argon_passes = cli.argon_passes;
let argon_parallelism = cli.argon_parallelism;
drop(cli);
if pw_src.is_none() && raw_key_str.is_none() {
return Err(FcryError::Format(
"must provide one of --raw-key, --passphrase, --passphrase-env".into(),
));
}
if decrypt_mode {
let raw_key = match raw_key_str.as_deref() {
Some(s) => Some(parse_raw_key(s)?),
None => None,
};
let pw = match &pw_src {
Some(src) => Some(read_passphrase(src, false)?),
None => None,
};
decrypt(
input,
output,
raw_key.as_ref().map(|k| k.as_array()),
pw.as_ref().map(|p| p.as_slice()),
)?;
} else {
let (key, kdf) = if let Some(src) = &pw_src {
let mut salt = [0u8; ARGON2_SALT_LEN];
getrandom::fill(&mut salt)?;
let m_cost_kib = argon_memory.checked_mul(1024).ok_or_else(|| {
FcryError::Format("argon-memory too large (overflow when converting to KiB)".into())
})?;
let kdf = KdfParams::Argon2id {
salt,
m_cost: m_cost_kib,
t_cost: argon_passes,
p_cost: argon_parallelism,
};
let pw = read_passphrase(src, true)?;
let key = derive_key(&kdf, None, Some(pw.as_slice()))?;
(key, kdf)
} else {
let key = parse_raw_key(raw_key_str.as_deref().unwrap())?;
(key, KdfParams::Raw)
};
encrypt(input, output, &key, chunk_size, kdf)?;
}
Ok(())
}
fn main() {
disable_core_dumps();
let cli = Cli::parse();
if let Err(e) = run(cli) {
eprintln!("Error: {:?}", e);
src/secrets.rs
+269
View File
@@ -0,0 +1,269 @@
// SPDX-License-Identifier: GPL-3.0-only
//! Secret-handling primitives.
//!
//! Two wrappers and a cross-platform passphrase reader:
//!
//! * [`SecretBytes32`] — heap-allocated 32-byte buffer, mlock'd, zero on drop.
//! * [`SecretVec`] — heap-allocated `Vec<u8>` with stable capacity, mlock'd,
//! zero on drop.
//! * [`read_passphrase_tty`] — direct tty reader (Linux/macOS termios,
//! Windows Console API). Reads into a pre-reserved `SecretVec` so no
//! reallocation can leave stale unzeroed copies on the heap.
//!
//! mlock is provided via the `region` crate (portable across Linux/macOS/Windows).
//! The lock is dropped *before* the underlying buffer is freed (field order
//! matters in Rust drop semantics).
use std::io;
use zeroize::Zeroizing;
/// Maximum passphrase length we accept on the tty.
/// Pre-reserved so the underlying Vec never reallocates while reading.
pub const MAX_PASSPHRASE_LEN: usize = 1024;
/// Heap-allocated 32-byte secret. mlock'd; zeroed on drop.
pub struct SecretBytes32 {
// Field order matters: `_lock` is dropped first (munlock the page), then
// `inner` is dropped (zeroize the bytes, then free).
_lock: Option<region::LockGuard>,
inner: Box<Zeroizing<[u8; 32]>>,
}
impl SecretBytes32 {
pub fn zeroed() -> Self {
let inner = Box::new(Zeroizing::new([0u8; 32]));
let lock = region::lock(inner.as_ptr(), inner.len()).ok();
Self { _lock: lock, inner }
}
pub fn as_array(&self) -> &[u8; 32] {
&self.inner
}
pub fn as_mut_array(&mut self) -> &mut [u8; 32] {
&mut self.inner
}
}
/// Heap-allocated byte buffer with **fixed capacity** that is mlock'd and
/// zeroed on drop. Pushing beyond the reserved capacity is rejected so the
/// underlying allocation never moves (which would invalidate the lock and
/// leave a stale unzeroed copy behind).
pub struct SecretVec {
_lock: Option<region::LockGuard>,
inner: Zeroizing<Vec<u8>>,
capacity: usize,
}
impl SecretVec {
/// Allocate a buffer with fixed `capacity` and mlock it.
pub fn with_capacity(capacity: usize) -> Self {
let inner = Zeroizing::new(Vec::with_capacity(capacity));
let lock = if capacity > 0 {
region::lock(inner.as_ptr(), capacity).ok()
} else {
None
};
Self {
_lock: lock,
inner,
capacity,
}
}
/// Wrap an already-allocated `Vec<u8>` (e.g. one we got from
/// `String::into_bytes()` for the env-var path). The Vec's `capacity`
/// is mlock'd as-is. Pushing afterwards is forbidden.
pub fn from_vec(v: Vec<u8>) -> Self {
let cap = v.capacity();
let inner = Zeroizing::new(v);
let lock = if cap > 0 {
region::lock(inner.as_ptr(), cap).ok()
} else {
None
};
Self {
_lock: lock,
inner,
capacity: cap,
}
}
pub fn push(&mut self, b: u8) -> io::Result<()> {
if self.inner.len() >= self.capacity {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"secret buffer full",
));
}
self.inner.push(b);
Ok(())
}
pub fn as_slice(&self) -> &[u8] {
&self.inner
}
}
impl PartialEq for SecretVec {
fn eq(&self, other: &Self) -> bool {
// constant-time-ish: compare full slices, no early return on mismatch.
let a = self.as_slice();
let b = other.as_slice();
if a.len() != b.len() {
return false;
}
let mut diff: u8 = 0;
for (x, y) in a.iter().zip(b.iter()) {
diff |= x ^ y;
}
diff == 0
}
}
// ============================================================================
// tty passphrase reader
// ============================================================================
/// Read a passphrase from the controlling terminal with echo disabled.
///
/// Bytes go directly into a pre-reserved `SecretVec` so no reallocation can
/// leave stale heap copies. CR is skipped, LF terminates the line.
/// Returns an error if the input exceeds `MAX_PASSPHRASE_LEN` bytes.
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
imp::read_passphrase_tty(prompt)
}
#[cfg(unix)]
mod imp {
use super::{MAX_PASSPHRASE_LEN, SecretVec};
use std::fs::OpenOptions;
use std::io::{self, Read, Write};
use std::os::unix::io::AsRawFd;
/// RAII guard that restores the original termios on drop.
struct TermiosGuard {
fd: i32,
orig: libc::termios,
}
impl Drop for TermiosGuard {
fn drop(&mut self) {
unsafe {
libc::tcsetattr(self.fd, libc::TCSANOW, &self.orig);
}
}
}
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
let mut tty = OpenOptions::new().read(true).write(true).open("/dev/tty")?;
let fd = tty.as_raw_fd();
let mut orig: libc::termios = unsafe { std::mem::zeroed() };
if unsafe { libc::tcgetattr(fd, &mut orig) } != 0 {
return Err(io::Error::last_os_error());
}
let mut new = orig;
// Disable echo of typed characters; keep ECHONL so the final newline
// is shown when the user presses Enter (cosmetic).
new.c_lflag &= !libc::ECHO;
new.c_lflag |= libc::ECHONL;
if unsafe { libc::tcsetattr(fd, libc::TCSANOW, &new) } != 0 {
return Err(io::Error::last_os_error());
}
let _guard = TermiosGuard { fd, orig };
write!(tty, "{prompt}")?;
tty.flush()?;
let mut buf = SecretVec::with_capacity(MAX_PASSPHRASE_LEN);
let mut byte = [0u8; 1];
loop {
match tty.read(&mut byte) {
Ok(0) => break, // EOF
Ok(_) => match byte[0] {
b'\n' => break,
b'\r' => continue,
b => buf.push(b)?,
},
Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
Err(e) => return Err(e),
}
}
Ok(buf)
}
}
#[cfg(windows)]
mod imp {
use super::{MAX_PASSPHRASE_LEN, SecretVec};
use std::fs::OpenOptions;
use std::io::{self, Read, Write};
use std::os::windows::io::AsRawHandle;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::Console::{
ENABLE_ECHO_INPUT, ENABLE_LINE_INPUT, ENABLE_PROCESSED_INPUT, GetConsoleMode,
SetConsoleMode,
};
struct ConsoleModeGuard {
handle: HANDLE,
orig: u32,
}
impl Drop for ConsoleModeGuard {
fn drop(&mut self) {
unsafe {
SetConsoleMode(self.handle, self.orig);
}
}
}
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
let mut tty_in = OpenOptions::new().read(true).write(true).open("CONIN$")?;
let mut tty_out = OpenOptions::new().write(true).open("CONOUT$")?;
let h_in = tty_in.as_raw_handle() as HANDLE;
let mut orig_mode: u32 = 0;
if unsafe { GetConsoleMode(h_in, &mut orig_mode) } == 0 {
return Err(io::Error::last_os_error());
}
let new_mode =
(orig_mode | ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT) & !ENABLE_ECHO_INPUT;
if unsafe { SetConsoleMode(h_in, new_mode) } == 0 {
return Err(io::Error::last_os_error());
}
let _guard = ConsoleModeGuard {
handle: h_in,
orig: orig_mode,
};
write!(tty_out, "{prompt}")?;
tty_out.flush()?;
let mut buf = SecretVec::with_capacity(MAX_PASSPHRASE_LEN);
let mut byte = [0u8; 1];
loop {
match tty_in.read(&mut byte) {
Ok(0) => break,
Ok(_) => match byte[0] {
b'\n' => break,
b'\r' => continue,
b => buf.push(b)?,
},
Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
Err(e) => return Err(e),
}
}
// Echo was off, so emit a newline so the next shell prompt is on a fresh line.
let _ = writeln!(tty_out);
let _ = tty_out.flush();
Ok(buf)
}
}
src/utils.rs
+97 -6
View File
@@ -1,7 +1,8 @@
// SPDX-License-Identifier: GPL-3.0-only
use std::fs::File;
use std::fs::{self, File};
use std::io::{self, BufRead, BufReader, Write};
use std::path::PathBuf;
/// Default plaintext chunk size: 1 MiB.
///
@@ -16,9 +17,99 @@ pub(crate) fn open_input<S: AsRef<str>>(input_file: Option<S>) -> io::Result<Box
})
}
pub(crate) fn open_output<S: AsRef<str>>(output_file: Option<S>) -> io::Result<Box<dyn Write>> {
Ok(match output_file {
Some(f) => Box::new(File::create(f.as_ref())?),
None => Box::new(io::stdout()),
})
/// Output sink that supports atomic file replacement.
///
/// For file outputs: bytes are written to `<path>.tmp`. On `commit()`, the
/// temp file is renamed into place. If dropped without commit (panic, error,
/// process exit), the temp file is deleted so a partial/garbage file does
/// not replace any existing target.
///
/// For stdout: behaves as a passthrough; `commit()` is a no-op.
pub enum OutSink {
Stdout(io::Stdout),
File {
tmp_path: PathBuf,
final_path: PathBuf,
file: Option<File>,
committed: bool,
},
}
impl OutSink {
pub fn open<S: AsRef<str>>(output_file: Option<S>) -> io::Result<Self> {
match output_file {
None => Ok(Self::Stdout(io::stdout())),
Some(f) => {
let final_path = PathBuf::from(f.as_ref());
let mut tmp_path = final_path.clone();
let name = tmp_path
.file_name()
.map(|n| n.to_os_string())
.unwrap_or_default();
let mut tmp_name = name;
tmp_name.push(".tmp");
tmp_path.set_file_name(tmp_name);
let file = File::create(&tmp_path)?;
Ok(Self::File {
tmp_path,
final_path,
file: Some(file),
committed: false,
})
}
}
}
pub fn commit(mut self) -> io::Result<()> {
if let Self::File {
tmp_path,
final_path,
file,
committed,
} = &mut self
{
if let Some(mut f) = file.take() {
f.flush()?;
f.sync_all()?;
}
fs::rename(&*tmp_path, &*final_path)?;
*committed = true;
}
Ok(())
}
}
impl Write for OutSink {
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
match self {
Self::Stdout(s) => s.write(buf),
Self::File { file, .. } => file.as_mut().expect("file taken before commit").write(buf),
}
}
fn flush(&mut self) -> io::Result<()> {
match self {
Self::Stdout(s) => s.flush(),
Self::File { file, .. } => match file.as_mut() {
Some(f) => f.flush(),
None => Ok(()),
},
}
}
}
impl Drop for OutSink {
fn drop(&mut self) {
if let Self::File {
tmp_path,
committed,
file,
..
} = self
&& !*committed
{
file.take(); // close the file before unlink
let _ = fs::remove_file(tmp_path);
}
}
}